1
00:00:00,090 --> 00:00:01,650
In this lesson, we'll be talking

2
00:00:01,650 --> 00:00:04,020
about step seven in the real world.

3
00:00:04,020 --> 00:00:06,240
Step seven is the monitor step.

4
00:00:06,240 --> 00:00:07,800
The purpose of the monitor step

5
00:00:07,800 --> 00:00:10,230
is to maintain ongoing situational awareness

6
00:00:10,230 --> 00:00:13,020
about the security and privacy posture of the system

7
00:00:13,020 --> 00:00:16,560
and organization to support risk management decisions.

8
00:00:16,560 --> 00:00:18,150
When we look at the monitor step,

9
00:00:18,150 --> 00:00:20,790
we are really focused on five main outcomes.

10
00:00:20,790 --> 00:00:22,650
First, the system and environment

11
00:00:22,650 --> 00:00:24,450
of operation is going to be monitored

12
00:00:24,450 --> 00:00:27,210
in accordance with the continuous monitoring strategy.

13
00:00:27,210 --> 00:00:29,040
Second, ongoing assessments

14
00:00:29,040 --> 00:00:31,080
of control effectiveness are conducted

15
00:00:31,080 --> 00:00:33,810
in accordance with the continuous monitoring strategy.

16
00:00:33,810 --> 00:00:36,570
Third, the output of continuous monitoring activities

17
00:00:36,570 --> 00:00:38,790
is analyzed and responded to.

18
00:00:38,790 --> 00:00:40,590
Fourth, there's a process in place

19
00:00:40,590 --> 00:00:44,220
to report security and privacy posture to your management.

20
00:00:44,220 --> 00:00:47,070
And fifth, ongoing authorizations are conducted

21
00:00:47,070 --> 00:00:50,100
using the results of continuous monitoring activities.

22
00:00:50,100 --> 00:00:52,890
So as you can see, when it comes to step seven,

23
00:00:52,890 --> 00:00:55,080
we are really focused on this whole idea

24
00:00:55,080 --> 00:00:57,840
of monitoring to be able to continuously monitor

25
00:00:57,840 --> 00:00:59,820
your controls that have been implemented

26
00:00:59,820 --> 00:01:02,280
earlier on in the RMF process.

27
00:01:02,280 --> 00:01:04,200
This means we understand all of the risk

28
00:01:04,200 --> 00:01:06,300
to our system and we understand

29
00:01:06,300 --> 00:01:07,530
what controls we put in place

30
00:01:07,530 --> 00:01:09,180
and we're verifying those controls

31
00:01:09,180 --> 00:01:12,600
remain effective against those different risks.

32
00:01:12,600 --> 00:01:15,270
At this point in the risk management framework process,

33
00:01:15,270 --> 00:01:16,770
you're basically doing all the work

34
00:01:16,770 --> 00:01:18,780
of a cybersecurity analyst to make sure

35
00:01:18,780 --> 00:01:20,790
your risk controls are meeting the need

36
00:01:20,790 --> 00:01:22,410
and giving you the desired outcome

37
00:01:22,410 --> 00:01:23,970
that you're trying to achieve.

38
00:01:23,970 --> 00:01:25,680
This makes sure that people aren't breaking

39
00:01:25,680 --> 00:01:27,270
into your network and that everything

40
00:01:27,270 --> 00:01:29,610
is working properly and if it's not,

41
00:01:29,610 --> 00:01:31,050
you want to be able to catch that,

42
00:01:31,050 --> 00:01:32,850
go ahead and figure out what's going wrong,

43
00:01:32,850 --> 00:01:34,500
and what risks are being realized,

44
00:01:34,500 --> 00:01:36,240
and then you could select new controls

45
00:01:36,240 --> 00:01:38,070
to mitigate those risks and implement

46
00:01:38,070 --> 00:01:39,870
those controls by going back to step three

47
00:01:39,870 --> 00:01:42,120
by selecting your controls and going into step four

48
00:01:42,120 --> 00:01:43,980
to implement those controls.

49
00:01:43,980 --> 00:01:45,180
This is really what we're focused

50
00:01:45,180 --> 00:01:48,120
on by doing this all in a continuous manner.

51
00:01:48,120 --> 00:01:51,810
Now, when it comes to RMF and specifically step seven,

52
00:01:51,810 --> 00:01:54,060
this is where you really want to pair RMF

53
00:01:54,060 --> 00:01:56,490
with the NIST cybersecurity framework.

54
00:01:56,490 --> 00:01:58,290
Because the NIST cybersecurity framework

55
00:01:58,290 --> 00:02:01,350
is really focused on the life cycle of an incident.

56
00:02:01,350 --> 00:02:03,180
And so this whole idea of monitoring

57
00:02:03,180 --> 00:02:05,040
is really useful as it ties

58
00:02:05,040 --> 00:02:06,270
from the risk management framework

59
00:02:06,270 --> 00:02:08,640
into the NIST cybersecurity framework.

60
00:02:08,640 --> 00:02:10,830
If you look at the NIST cybersecurity framework,

61
00:02:10,830 --> 00:02:13,110
it really is a five step process

62
00:02:13,110 --> 00:02:15,120
that focuses on identification,

63
00:02:15,120 --> 00:02:17,790
protection, detection, response,

64
00:02:17,790 --> 00:02:20,280
and recovery from a given incident.

65
00:02:20,280 --> 00:02:21,113
Now, when you're looking

66
00:02:21,113 --> 00:02:22,740
at the NIST cybersecurity framework,

67
00:02:22,740 --> 00:02:25,650
the first step is that identification step.

68
00:02:25,650 --> 00:02:27,540
This really links to steps one and two

69
00:02:27,540 --> 00:02:29,370
inside the risk management framework

70
00:02:29,370 --> 00:02:31,290
of prepare and categorize,

71
00:02:31,290 --> 00:02:33,120
because we're going to see what our systems are,

72
00:02:33,120 --> 00:02:36,120
and what type of data they're holding and processing.

73
00:02:36,120 --> 00:02:37,920
Then we move into the second step

74
00:02:37,920 --> 00:02:39,600
of the NIST cybersecurity framework,

75
00:02:39,600 --> 00:02:41,250
which is protection.

76
00:02:41,250 --> 00:02:42,900
When we're in the protection step,

77
00:02:42,900 --> 00:02:45,930
we are really focused on selecting our controls

78
00:02:45,930 --> 00:02:47,550
and then implementing those controls

79
00:02:47,550 --> 00:02:49,410
and assessing those controls.

80
00:02:49,410 --> 00:02:50,610
By doing all of that

81
00:02:50,610 --> 00:02:52,290
we are really looking at steps three,

82
00:02:52,290 --> 00:02:55,590
four, and five of the risk management framework.

83
00:02:55,590 --> 00:02:57,210
Then if we move into step three

84
00:02:57,210 --> 00:02:59,040
of the NIST cybersecurity framework,

85
00:02:59,040 --> 00:03:01,260
we are looking at the detection stage.

86
00:03:01,260 --> 00:03:02,940
This really links to step seven

87
00:03:02,940 --> 00:03:04,410
of the risk management framework,

88
00:03:04,410 --> 00:03:05,640
where you are monitoring all

89
00:03:05,640 --> 00:03:08,220
of your controls and seeing how effective they are.

90
00:03:08,220 --> 00:03:09,960
If you're monitoring a control and you see

91
00:03:09,960 --> 00:03:12,120
that somebody has broken that control,

92
00:03:12,120 --> 00:03:14,160
this means that you now have detected

93
00:03:14,160 --> 00:03:16,050
some kind of an incident and you would move

94
00:03:16,050 --> 00:03:17,910
into the incident response part

95
00:03:17,910 --> 00:03:19,710
of the NIST cybersecurity framework,

96
00:03:19,710 --> 00:03:21,810
moving from step three of detection

97
00:03:21,810 --> 00:03:25,350
into steps four and five of response and recovery.

98
00:03:25,350 --> 00:03:26,670
Now, you may have noticed

99
00:03:26,670 --> 00:03:28,980
that the risk management framework, step six,

100
00:03:28,980 --> 00:03:30,840
which is the authorization step,

101
00:03:30,840 --> 00:03:32,340
wasn't really covered as part

102
00:03:32,340 --> 00:03:34,110
of the NIST cybersecurity framework.

103
00:03:34,110 --> 00:03:35,310
And the reason for that

104
00:03:35,310 --> 00:03:37,260
is the NIST cybersecurity framework tends

105
00:03:37,260 --> 00:03:40,380
to be used as an ongoing daily basis type of thing,

106
00:03:40,380 --> 00:03:42,300
whereas the risk management framework

107
00:03:42,300 --> 00:03:44,610
is more of a one time setup

108
00:03:44,610 --> 00:03:46,560
when you're going through steps one through six

109
00:03:46,560 --> 00:03:50,010
and getting that authorization to operate or ATO.

110
00:03:50,010 --> 00:03:52,230
Once you've done that and you move into step seven,

111
00:03:52,230 --> 00:03:54,390
that really is where you're focusing on steps three,

112
00:03:54,390 --> 00:03:57,030
four, and five of the NIST cybersecurity framework

113
00:03:57,030 --> 00:04:00,030
with detection, response, and recovery.

114
00:04:00,030 --> 00:04:02,160
So I know I covered that pretty quickly

115
00:04:02,160 --> 00:04:04,500
in terms of the NIST cybersecurity framework,

116
00:04:04,500 --> 00:04:06,270
and the reason for that is because we already

117
00:04:06,270 --> 00:04:08,010
have an entire course dedicated

118
00:04:08,010 --> 00:04:09,990
to the NIST cybersecurity framework.

119
00:04:09,990 --> 00:04:11,640
So if you want to learn more

120
00:04:11,640 --> 00:04:13,920
about implementing the NIST cybersecurity framework,

121
00:04:13,920 --> 00:04:15,937
I recommend you join our course called

122
00:04:15,937 --> 00:04:18,330
"Implementing the NIST Cybersecurity Framework,"

123
00:04:18,330 --> 00:04:20,790
which really focuses on each of those five steps

124
00:04:20,790 --> 00:04:23,970
in depth and covers multiple hours worth of information.

125
00:04:23,970 --> 00:04:26,070
So you can apply the NIST cybersecurity framework

126
00:04:26,070 --> 00:04:27,570
in your own organization

127
00:04:27,570 --> 00:04:29,160
and it comes with everything you need,

128
00:04:29,160 --> 00:04:31,140
including templates on how to implement it

129
00:04:31,140 --> 00:04:32,826
in the real world.

130
00:04:32,826 --> 00:04:34,926
(electronic tone buzzing)